Acknowledged
Created: Sep 4, 2025
Updated: Sep 8, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

comedi: fix race between polling and detaching

syzbot reports a use-after-free in comedi in the below link, which is due to comedi gladly removing the allocated async area even though poll requests are still active on the wait_queue_head inside of it. This can cause a use-after-free when the poll entries are later triggered or removed, as the memory for the wait_queue_head has been freed. We need to check there are no tasks queued on any of the subdevices' wait queues before allowing the device to be detached by the `COMEDI_DEVCONFIG` ioctl.

Tasks will read-lock `dev->attach_lock` before adding themselves to the subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl handler by write-locking `dev->attach_lock` before checking that all of the subdevices are safe to be deleted. This includes testing for any sleepers on the subdevices' wait queues. It remains locked until the device has been detached. This requires the `comedi_device_detach()` function to be refactored slightly, moving the bulk of it into new function `comedi_device_detach_locked()`.

Note that the refactor of `comedi_device_detach()` results in `comedi_device_cancel_all()` now being called while `dev->attach_lock` is write-locked, which wasn't the case previously, but that does not matter.

Thanks to Jens Axboe for diagnosing the problem and co-developing this patch.
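The locking protocol described in the commit message, shown as an added user-space model rather than the kernel patch itself: pollers take `attach_lock` for read while they add themselves to a subdevice wait queue, and the detach path takes it for write, refuses with `-EBUSY` while any sleeper remains, and only then frees the per-subdevice area. The `struct rwlock`, `struct device`, `device_poll_wait()`, `device_poll_wake()` and `device_devconfig_detach()` names and the `sleepers` counter (standing in for `waitqueue_active()`) are assumptions of this example and not comedi's real API; the model is single-threaded, so the lock only records who holds it.

```c
/* Added example: user-space model of the comedi detach/poll fix.
 * Not kernel code; names and structures are assumptions for illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

#define NSUBDEV 2

/* Minimal model of a kernel rwlock: records holders so the ordering
 * between the poll path and the detach path can be checked. */
struct rwlock { int readers; bool writer; };

static bool read_lock(struct rwlock *l)  { if (l->writer) return false; l->readers++; return true; }
static void read_unlock(struct rwlock *l) { l->readers--; }
static bool write_lock(struct rwlock *l) { if (l->writer || l->readers) return false; l->writer = true; return true; }
static void write_unlock(struct rwlock *l) { l->writer = false; }

/* 'sleepers' stands in for waitqueue_active() on the subdevice wait queue. */
struct subdevice { int sleepers; };

struct device {
    struct rwlock attach_lock;
    bool attached;
    struct subdevice *subdevs; /* freed on detach, like the async area */
};

int device_attach(struct device *dev)
{
    dev->attach_lock = (struct rwlock){0};
    dev->subdevs = calloc(NSUBDEV, sizeof *dev->subdevs);
    if (!dev->subdevs) return -ENOMEM;
    dev->attached = true;
    return 0;
}

/* Poll path: read-lock attach_lock before queueing on the subdevice wait queue. */
int device_poll_wait(struct device *dev, int sub)
{
    int ret = 0;
    if (sub < 0 || sub >= NSUBDEV) return -EINVAL;
    if (!read_lock(&dev->attach_lock)) return -EAGAIN;  /* detach in progress */
    if (!dev->attached) ret = -ENODEV;
    else dev->subdevs[sub].sleepers++;
    read_unlock(&dev->attach_lock);
    return ret;
}

/* The poll entry is removed again (task woken or file released). */
int device_poll_wake(struct device *dev, int sub)
{
    if (sub < 0 || sub >= NSUBDEV) return -EINVAL;
    if (!dev->attached || dev->subdevs[sub].sleepers == 0) return -EINVAL;
    dev->subdevs[sub].sleepers--;
    return 0;
}

/* Safe to delete only when no task sleeps on any subdevice wait queue. */
static bool subdevices_safe_to_delete(const struct device *dev)
{
    for (int i = 0; i < NSUBDEV; i++)
        if (dev->subdevs[i].sleepers) return false;
    return true;
}

/* Bulk of the detach, run with attach_lock write-locked by the caller. */
static void device_detach_locked(struct device *dev)
{
    free(dev->subdevs);
    dev->subdevs = NULL;
    dev->attached = false;
}

/* COMEDI_DEVCONFIG-style detach: write-lock, check sleepers, then detach. */
int device_devconfig_detach(struct device *dev)
{
    int ret = 0;
    if (!write_lock(&dev->attach_lock)) return -EAGAIN;
    if (dev->attached && !subdevices_safe_to_delete(dev))
        ret = -EBUSY;           /* pollers still queued: refuse to free */
    else if (dev->attached)
        device_detach_locked(dev);
    write_unlock(&dev->attach_lock);
    return ret;
}

/* Scenario: returns 0 when detach is refused while a poller sleeps and
 * succeeds once the poller is gone; otherwise the failing step number. */
int scenario_poll_vs_detach(void)
{
    struct device dev;
    if (device_attach(&dev) != 0) return 1;
    if (device_poll_wait(&dev, 1) != 0) return 2;
    if (device_devconfig_detach(&dev) != -EBUSY) return 3;
    if (device_poll_wake(&dev, 1) != 0) return 4;
    if (device_devconfig_detach(&dev) != 0) return 5;
    if (device_poll_wait(&dev, 1) != -ENODEV) return 6;
    return 0;
}
```

The point of the model is the ordering: because every poller holds the read lock while it increments `sleepers`, the write lock in `device_devconfig_detach()` guarantees that the sleeper check and the free cannot interleave with a poller that is halfway through queueing itself, which is exactly the window the pre-fix code left open.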
CVE: CVE-2025-38687 (https://nvd.nist.gov/vuln/detail/CVE-2025-38687)